Re: [inbox] undetectable NIC in promiscuous mode

["Secdigital" <secdigital () san rr com>]

Here is a "read only" Cable. Note that the interface does not have to be
assigned an address and that (for most hubs/switches) one and two needs to
be shorted so to have current to bring up the link light.



Philip Bartholomew
Secdigital () san rr com



----- Original Message ----- 
From: "Chris Brenton" <cbrenton () chrisbrenton org>
To: "Curt Purdy" <purdy () tecman com>
Cc: <Jose_Maria_Gonzalez () dell com>; <honeypots () securityfocus com>
Sent: Friday, March 05, 2004 12:48 PM
Subject: RE: [inbox] undetectable NIC in promiscuous mode


> On Fri, 2004-03-05 at 12:29, Curt Purdy wrote:
> > Yes, there are protocols that do not depend on ip such as arp, dhcp, and
> > others.
>
> Humm, I've never seen this myself. Please describe a situation I can try
> and duplicate were an interface that does not have IP bound to it would
> start transmitting ARP or DHCP packets.
>
> > A sure way to avoid
> > detection is to snip your TX lines 1&2.
>
> This _does not_ work. I have tried this with both switches and hubs from
> 3COM, Cisco, D-Link & Netgear. Cutting the TX lines means you can not
> initial the port to establish link. No link means you will not see
> traffic.
>
> HTH,
> C